The Cloud Security Challenge
The term “cloud” has been popular in the business lexicon since 2006 when Amazon Web Services (AWS) launched its Elastic Compute Cloud (EC2). The latest Cloud Threat Report from Unit 42 shows that organizations continue to struggle with securing public cloud platforms some 13 years after the launch of EC2. The report highlights key insights on cloud threats based on intelligence gathered from multiple data sources between January 2018 and late June 2019.
Among other findings, the report shows:
- Shortcomings in on-premises patching habits are carrying over to the cloud. Unit 42 found more than 34 million vulnerabilities across various cloud service providers (CSPs). These vulnerabilities originate from the applications customers deploy to CSP infrastructure, such as outdated Apache servers and vulnerable jQuery packages. Researchers identified:
- 29,128,902 vulnerabilities in Amazon EC2
- 1,715,855 in Azure Virtual Machine
- 3,971,632 in GCP Compute Engine
Patching is a struggle, as many standalone vulnerability management tools lack cloud context and remain scattered across multiple consoles. Organizations need to consolidate tools in order to create a cloud-centric view.
- Default and unsecured container configurations are rampant. Unit 42 research reveals more than 40,000 container systems operate under default configurations. This represents nearly 51% of all publicly exposed Docker containers. Many of the systems identified allowed for unauthenticated access to the data they contained. We recommend at least placing every container with sensitive data behind a properly configured security policy or an external-facing firewall that prevents access from the internet.
- Cloud complexity is yielding low-hanging fruit for attackers. Regarding publicly disclosed cloud security incidents, 65% were the result of misconfigurations. Organizations that had at least one Remote Desktop Protocol (RDP) service exposed to the entire internet amounted to 56%, despite the fact that all major cloud providers natively give consumers the ability to restrict inbound traffic. This represents an opportunity to consolidate cloud-based network controls with well-established on-premises management systems.
- Malware has extended its reach to the cloud. Unit 42 found 28% of organizations communicating with malicious cryptomining C2 domains operated by the threat group Rocke. We have been closely tracking the group and noted the group’s unique tactics, techniques and procedures (TTPs), giving them the ability to disable and uninstall agent-based cloud security tools. Timely and consistent patching schedules for cloud-based systems are an expedient way to slow similar malware threats.